Cross-Site Request Forgery in HelpDesk Contact Form Plugin for WordPress
CVE-2025-13657

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Helpdesk Contact Form Plugin
Vendor: CVE Published:; 7 January 2026

What is CVE-2025-13657?

The HelpDesk contact form plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF), due to improper nonce validation in the handle_query_args() function. This vulnerability allows unauthenticated attackers to manipulate essential settings, such as the plugin's license ID and contact form ID, by deceiving a site administrator into executing actions like clicking a link. It is crucial for administrators to ensure that proper nonce validation is implemented to protect against malicious exploits.

Affected Version(s)

HelpDesk contact form plugin * <= 1.1.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/helpdesk-conta...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 7, 2026
Vulnerability Reserved
Nov 25, 2025

Credit

Sopon Tangpathum (SoNaJaa)

JSON